Step 5 – Establish trust between PRIV and CORP forests
The PRIV and CONTOSO domain controllers are bound by a trust which allows for users in the PRIV domain to access resources on the CORP domain.
Prior to establishing trust, each domain controller must be configured for DNS name resolution for its counterpart, based on the other domain controller/DNS server’s IP address.
Ensure that there are no other DNS servers which are providing domain naming services to computers in either domain. If the virtual machines have network interfaces connected to public networks, it may be necessary to override the Windows network interface settings to ensure a DHCP-supplied DNS server address is not used by any virtual machines.
(Optional) On CORPDC, launch PowerShell, and type the following command.
nslookup -qt=ns priv.contoso.local.Ensure that the output indicates a nameserver record for this domain.
(Optional) Alternatively, use DNS Manager (located in Start, Application Tools, DNS) to confirm DNS name forwarding for the PRIV domain to PRIVDC’s IP address. Using this program, expand the nodes CORPDC, Forward Lookup Zones, contoso.local, and ensure a key named priv is present as a Name Server (NS) type.
.jpeg "PAM_GS_DNS_Manager")
On PAMSRV, establish one-way trust with CORPDC so that the CORP domain controller trusts the PRIV forest.
Ensure you are logged into PAMSRV as a PRIV domain administrator (such as PRIV\Administrator).
Launch PowerShell.
Type the following PowerShell commands, and enter the credential for the CORP domain administrator (e.g., CONTOSO\Administrator) when prompted, if needed.
$ca = get-credential New-PAMTrust -SourceForest "contoso.local" -Credentials $ca New-PAMDomainConfiguration -SourceDomain "contoso" -Credentials $ca
On CORPDC, enable read access to AD by PRIV administrators and the monitoring service.
Ensure you are logged into CORPDC as a Contoso domain administrator (such as Contoso\Administrator).
Launch Active Directory Users and Computers.
Right click on the domain contoso.local and select Delegate Control.
On the Selected users and groups tab, click Add.
On the Select Users, Computers, or Groups popup, click Locations and change the location to priv.contoso.local. On the object name, type Domain Admins and click Check Names. When a popup appears, for the username type priv\administrator and the password.
After Domain Admins, type "; MIMMonitor". After the names Domain Admins and MIMMonitor are underlined, click OK, then click Next.
In the list of common tasks, select "Read all user information", then click Next and click Finish.
Close Active Directory Users and Computers.
On PAMSRV, start the monitoring and component services.
Ensure you are logged into PAMSRV as a PRIV domain administrator (such as PRIV\Administrator).
Launch PowerShell.
Type the following PowerShell commands.
net start "PAM Component service" net start "PAM Monitoring service"
(optional) Verify that SID history is enabled and SID filtering is disabled on the trust from the CORP domain to the PRIV domain.
Ensure you are logged into CORPDC as a domain administrator (such as CONTOSO\Administrator).
Open a PowerShell window.
Use netdom to ensure SID history is enabled and SID filtering is disabled. Type:
netdom trust contoso.local /quarantine /enablesidhistory:yes /domain priv.contoso.localThe output should indicate either “Enabling SID history for this trust” or “SID history is already enabled for this trust”.
The output should also indicate that “SID filtering is not enabled for this trust”. See https://technet.microsoft.com/library/cc772816(v=WS.10).aspx for more information.